
Radio Equipment Directive (RED) FAQ
Our experts provide answers to frequently asked questions about the cybersecurity requirements in the Radio Equipment Directive (RED).
Article 3.3 (d). Radio equipment does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service.
'Traffic data' are defined as "any data processed for the purpose of conveyance of a communication on an electronic communication network or for the billing thereof". Article 2, point (b) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
The steps for manufacturers to be able to use the CE marking can be found here.
Details on what’s considered personal data can be found here.
RED Art. 3.3 (d)(e)(f) will align with the existing European Commission rules for compliance as described in the Blue Guide. You can secure an evaluation through a Notified Body or with a self-assessment against harmonized standards, but a Notified Body would be required in the absence of notified standards. In other words, testing will be done against the essential requirements per applicable standards to show conformance, e.g., ETSI EN 303 645 for consumer devices and IEC 62443 for industrial automation and control system devices (with some additional tests required). Industrial and consumer IoT devices fall within the scope of RED Art. 3.3(d)(e)(f).
The government intends to extend recognition of the CE marking for placing most goods on the market in Great Britain indefinitely beyond December 2024. These updates apply to the 18 regulations that fall under the Department for Business and Trade (DBT). More information can be found here.
You can secure an evaluation through a Notified Body or with a self-assessment against harmonized standards, but a Notified Body would be required in the absence of notified standards.
The scope of the CRA covers a broader array of devices, software and situations than defined in the scope of RED Article 3.3(d)(e)(f) as it addresses “products with digital elements.” However, there are overlaps. The CRA has the potential to supersede and repeal RED Art.3.3(d)(e)(f).
When defining the impacts of directly vs. indirectly connected devices in terms of RED Art. 3.3(d)(e)(f):
Details on the technical scoping requirements for the RED are not yet published as harmonized standards. The revised date for the standardization request for harmonized standards of RED Art.3.3(d)(e)(f) has been extended from October 2023 to December 2023. Once the harmonized standards are released, additional clarity will be provided.
The RED applies to products classified as radio equipment in reference to typical communication equipment such as radio transmitters and wireless phones as well as a wide range of products that integrate LoRaWAN, Wi-Fi, Bluetooth®, NFC, ZigBee, Z Wave and other wireless technologies in all kinds of consumer and professional electronic equipment.
However, the applicability of RED Art. 3.3(d)(e)(f) also depends on existing directives: devices may be exempt when other directives already apply to them, such as:
Accordingly, depending on the use case of the product, it may fall under RED Art. 3.3(d)(e)(f). If products fall under the scope of RED Art. 3.3(d)(e)(f) and no other directive takes precedence, they could also fall into one of two categories against which we can evaluate products:
EN 303 645 for consumer products or IEC 62443 for industrial products.
RED Art. 3.3(d)(e)(f) addresses devices connected directly or indirectly. Applicability would, however, depend on the use case and any additional supporting applicable directives. The hub/gateway would be the focus of RED compliance in this instance, as would the connected device. Please refer to ETSI EN 303 645 and IEC 62443 (both already published) until the European Commission publishes the relevant harmonized standards (expected Q4 2023).
Products must comply with the regulations and directives in force when they're manufactured and the Declaration of Conformity (DoC) is issued, meaning existing stock of RED-compliant devices manufactured before RED Art. 3.3 (d)(e)(f) took effect remains compliant. However, it is still in manufacturers' best interests to provide secure products to the market. For detailed explanations, please refer to the European Commission's Blue Guide.
ETSI has published the most well-known security standard for consumer Internet of Things (IoT) devices, ETSI EN 303 645. However, ETSI has been excluded from the standardization request for RED Art. 3.3(d)(e)(f). ETSI EN 303 645 has become the baseline for the majority of IoT security evaluations globally with coverage of 80% of the specifications defined in the essential requirements of RED Art. 3.3(d)(e)(f).
The EU agrees with the content of ETSI EN 303 645; however, its scope is limited to a specific set of consumer IoT devices and use cases. Accordingly, we expect the ETSI EN 303 645 standard to heavily influence the harmonized standards when they are published.
ETSI EN 303 645 addresses secure boot and full root of trust but they are not mandatory for all devices. The harmonized standards will likely take a similar approach.
The essential requirements act as a baseline or checklist of requirements against RED Art. 3.3(d)(e)(f). We collaborate with our customers to align with ETSI EN 303 645 and the UL IoT Security Rating Gold Level requirements. These requirements align with what the European Commission has communicated and will be in the final harmonized standards.
Products must comply with the regulations and directives in force upon manufacture and DoC issuance, meaning existing stock of pre-Article 3.3(d)(e)(f) RED cyber-compliant devices should be fine. Please refer to the European Commission’s Blue Guide.
Yes, these devices will likely be in the scope of RED Art. 3.3(d)(e)(f). According to the Commission Delegated Regulation (EU) 2022/30, Article 3.3(d) will apply to all internet-connected radio equipment, with some exceptions for products that have other regulations. Wireless routers and access points will be in the scope of RED Art. 3.3(d)(e)(f).
Yes, it will be the same for Article 3.3. In the absence of harmonized standards, devices must meet the essential requirements. Manufacturers can refer to the ETSI EN 303 645 standards, which are expected to influence the development of the harmonized standards.
These IoT devices will likely be in scope for the RED if there are no other security requirements specifically designed for this product category. Currently, ETSI EN 303 645 focuses on consumer IoT devices. Per the European Commission, “Regulation (EU) 2017/745 of the European Parliament and of the Council lays down rules on medical devices, and Regulation (EU) 2017/746 of the European Parliament and of the Council lays down rules on in vitro diagnostic medical devices. Both Regulations (EU) 2017/745 and (EU) 2017/746 address certain elements of cybersecurity risks associated with the risks addressed by Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU.”
No, medical devices are not within the scope of RED Art. 3.3(d)(e)(f). See: COMMISSION DELEGATED REGULATION (EU) 2022/30 of 29 October 2021, Article 2: “By way of derogation from Article 1, the essential requirements set out in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU shall not apply to radio equipment to which either of the following Union legislation also applies:
(a) Regulation (EU) 2017/745 (Medical Device Regulation);
(b) Regulation (EU) 2017/746 (In vitro diagnostic medical devices (IVD))”
This would depend on a review of the devices in question. Industrial IoT devices have cybersecurity posture and capabilities that, due to their intended use and end customer, exceed those of consumer IoT. However, for compliance requirements, RED Art. 3.3(d)(e)(f) may still apply. Therefore, while these devices will likely be in scope for the RED, they will also probably meet most, if not all, of the requirements. The formal publication of the harmonized standards will provide clarity. However, as IEC 62443 and ETSI EN 303 645 have been mapped to the essential requirements of RED Art. 3.3(d)(e)(f), we can help customers demonstrate compliance by performing the relevant evaluations with minor additional evaluations/testing in the absence of harmonized standards.
We are still unaware of the standard number, as no draft version of the harmonized standard has been released yet. UL Solutions has teams in laboratories globally — including in China — that will be accredited to perform all validations required for compliance with RED Art. 3.3(d)(e)(f). The specifics of each device vary, but broadly speaking, Bluetooth-connected devices are in scope for the RED, putting the device you mentioned in scope.
The text of the RED itself lays out a good measuring stick of what types of devices are in or out of scope. For further reference, especially in terms of existing devices and how new mandates and directives such as RED Art. 3.3 will affect them, the European Commission’s Blue Guide is the best reference. A UL Solutions subject matter expert can help you identify the requirements for your product.
Until the official harmonized standards are published in Q4 2023, we have asked manufacturers to refer to ETSI EN 303 645 and IEC 62443, which are already published standards that heavily influence the development of harmonized standards.
Products must comply with the regulations and directives in force upon manufacture and issuance of the DoC, meaning existing stock of pre-RED Art. 3.3(d)(e)(f) RED-compliant devices should be fine. For detailed explanations, please refer to the European Commission’s Blue Guide.
Yes. ETSI EN 303 645 focuses on consumer IoT devices and applies to network-connected consumer products. Bluetooth is considered a network, even when used in a point-to-point mode. While ETSI EN 303 645 attempts to be technology-agnostic, it includes two examples with Bluetooth, indicating that Bluetooth products are in scope.
Yes, Product A would be in scope. Article 1 of Delegated Act 2022/30 states that it “shall apply to any radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment.” Product A communicates with the internet via Product B and would therefore be in scope.
There will be two routes to demonstrate compliance: via a Notified Body such as UL Solutions or via self-assessment. UL Solutions offers support with training, gap analysis, evaluations, testing and conformance reports, which provide capabilities to ultimately demonstrate compliance.
Products must comply with the regulations and directives in force upon manufacture and issuance of the DoC, meaning existing stock of pre-RED Art. 3.3(d)(e)(f)-compliant devices should be fine. For detailed explanations, please refer to the European Commission’s Blue Guide.
Yes. Creating a new enforceable cybersecurity standard is a difficult task, and September 2023 is only months away. The publication of harmonized standards has already been extended to December 2023.
RED Art. 3.3(d) applies to internet-connected products to ensure that products do not negatively affect the network. A connected printer would need to comply with Art. 3.3(d). Article 3.3(e) applies to radio products that process personal, traffic or location data.
A printer is likely to process personal data, even if only temporarily; therefore, Article 3.3(e) would also apply.
No, RED Art. 3.3(d)(e)(f) applies to products regardless of sensitive data.
We will not know the exact specifics until the harmonized standards are published. However, most existing global consumer IoT security standards, including ETSI EN 303 645, focus almost exclusively on the device itself. Cloud-based auditing capabilities are available separately and can be run against the target of evaluation, either as an audit or as penetration testing.
At the moment, UL Solutions collaborates with its customers to align with ETSI EN 303 645 and the UL IoT Security Rating Gold Level requirements. These align closely with what the European Commission has communicated will be in the final harmonized standards. Generally, products must comply with the regulations and directives in force upon manufacture and issuance of the DoC, meaning existing stock of pre-RED Art. 3.3(d)(e)(f) cyber-compliant devices should be fine. Please refer to the European Commission’s Blue Guide.
RED Art. 3.3(d)(e)(f) will align with the existing European Commission rules for compliance as described in the Blue Guide. You can demonstrate compliance through a Notified Body or self-assessment against harmonized standards, but a Notified Body would be required in the absence of notified standards. In other words, testing will be done against the essential requirements or per applicable standards, such as ETSI EN 303 645 for consumer devices and IEC 62443 for industrial automation and control systems (with some additional tests required), to show conformance. Industrial and consumer IoT devices are within the scope of RED Art. 3.3(d)(e)(f). Further clarity will likely be provided once the harmonized standards are released.
RED Art. 3.3(d)(e)(f) applies to network-connected radio devices. This definition is broader than consumer IoT and may include industrial and commercial devices and those using short-range communications such as Wi-Fi, Bluetooth and Zigbee.
When the harmonized standards are released, they will contain requirements covering the essential requirements. There is, however, no precise one-to-one mapping between the broad categories of RED Art. 3.3(d)(e)(f) and the particular provisions of ETSI EN 303 645. Additional tests can nonetheless be completed in conjunction with ETSI EN 303 645 to fulfill the requirements in the absence of harmonized standards.
For an example of the tests and methodologies used in evaluating compliance, we suggest referring to the test specifications for ETSI EN 303 645 and ETSI TS 103 701; however, we can also perform additional tests to demonstrate compliance with the essential requirements.